SECURE WEB BROWSER BASED SYSTEM ADMINISTRATION
FOR EMBEDDED PLATFORMS 

RELATED APPLICATION 
This application claims the benefit of U.S. Provisional Application No. 60/454,582, 
filed March 14, 2003, and incorporated herein by reference. 

1. Field of the Invention

The invention relates to a method for providing configuration changes in a network
access point and, in particular, provides a method in a WLAN environment where an access
point and a stationary computer or a mobile terminal running a web browser utilize an
ActiveX control or a plug-in to enhance a security mechanism without relying on HTTPS
protection during remote management and administration processing.

2. Description of Related Art 

The context of the present invention is securely accessing networks, such as the World
Wide Web, through another network, including a wireless local area network (WLAN)
having an access point that provides access for stationary computer or mobile terminal
devices to other networks, such as hard-wired local area networks and global networks such as the
Internet. Advancements in WLAN technology have resulted in publicly accessible
wireless communication at rest stops, cafes, libraries and similar public facilities ("hot spots").
Presently, public WLANs offer mobile communication device users access to a private data
network, such as a corporate intranet, or a public data network such as the Internet, peer-to-
peer communication and live wireless TV broadcasting. The relatively low cost to implement
and operate a public WLAN, as well as the available high bandwidth (usually in excess of 10
Megabits/second), makes the public WLAN an ideal access mechanism through which
mobile wireless communications device users can exchange packets with an external entity.
However, as will be discussed below, such open deployment may compromise security unless
adequate means for identification and authentication exist during regular communications
and in processing remote management and administrative functions.

In a web browser based authentication method, a stationary computer or a mobile
terminal communicates with an access point (AP) using a web browser operating with the
Hyper Text Transfer Protocol Secured Sockets (HTTPS) protocol, which ensures that anyone on the
path between the mobile terminal and the AP cannot trespass upon or steal confidential user
information.

Remote system management/administration is a key requirement on any type of
computer system. Using web browsers (HTTP protocol) as the interface for remote
management is becoming an essential management feature. In order to provide secure browser
based remote management, HTTPS is the natural choice. However, for embedded systems,
such as WLAN access points, the resource requirement of HTTPS may be too great,
consuming large amounts of storage space and requiring corresponding overhead support and
CPU power. In fact, these limitations have historically prevented the development of a
practical solution for a secure browser based administration mechanism. For example, most of
today's commercially available wireless access points do not protect the remote
administration exchanges between the browsers and the access points. A would-be hacker
might easily obtain administrator passwords and damage the access points.

HTTPS is designed for communication protocols where neither a browser nor a web
server has pre-established authentication codes, such as confidential passwords known only
to the client terminal and the authentication server. This assumption (no pre-established
confidential codes) is absolutely necessary in web applications in which tens of millions of
browsers may access millions of servers without a prior trust relationship. Thus, large-scale
use of HTTPS requires a certificate on the server to provide a secure negotiation between the
browser and the server, and the establishment of a shared secret code for subsequent HTTP
communication. In the remote system administration case, the administrator and the remote
device can pre-share a secret, thus removing one source of overhead associated with HTTPS
communication. However, since the web browser does not offer the necessary secure
communication mechanism based on such a shared secret, it would be a desirable feature for a
processor to provide the security through the use of an ActiveX control or a functionally
equivalent plug-in.
SUMMARY OF THE INVENTION

The invention herein provides a method for improving security during a remote
administration exchange between a client device using a browser and an access point of a
network. In particular, the invention provides a method for securely exchanging
administration change requests between a client device and an access point of a wireless
network (WLAN). The WLAN may comprise a network that complies with IEEE 802.11
standards. The administration change involves the use of parameters for ensuring that
received administration information comes from an appropriate client terminal.
Generally, when a request for an administration management file, such as a web page, is
received, the access point of the network also generates and transmits to the client terminal a
first parameter, for example, a random number. The first parameter may be generated in
response to a challenge following the request for the administration management file.



Using a predetermined algorithm, such as the MD5 hash function, a new parameter is
generated from certain parameters. The parameters may include the first parameter, which
may be a random number generated by the access point. For greater security, the new
parameter may be generated from several parameters, including a password associated with
the client terminal, the first parameter, and a string parameter, which may, for example, be
generated from the new administration information. The new parameter is transmitted from
the client terminal to the access point, which then generates a corresponding new parameter
using the parameters used by the client terminal. If the parameters match, the access point
accepts the new administration information and implements it. In this manner, greater
security is provided by using a verification parameter with the new administration
information, which verification parameter is generated using parameters that are known to the
client terminal and the access point.

In an embodiment of the present invention, an administrator utilizes a browser to
request an administrative web page form, typically designed as a Hyper Text Markup
Language (HTML) form, from a remote embedded platform, such as an AP, which contains
fields where the administrator can provide information relevant to obtaining a secure
communication with the network. The web page form includes fill-in management
information, which when complete is submitted to the remote embedded platform by invoking
a real time operator, such as may be provided by a JavaScript code, to package the information
into a string. The real time operator invokes a plug-in security function having a
predetermined character string as one parameter, prompting the security function to
communicate with a remote system.

Upon receiving a request from the plug-in on the user/mobile terminal, the remote
system generates a random number and stores the number for future reference. It also
communicates the number to the administrator. The administrator security function
concatenates the random number, an administrator password (previously stored in the plug-in)
and the string parameter. Thereafter, a digest, such as a Message Digest 5 (MD5) digest, is generated
for the concatenated result and is returned to the security function. The process then
utilizes the real time operator, such as JavaScript, to embed the result from the security
function into the form containing the management information and to send the form to the
remote computer, thereby completing the submission. The remote computer utilizes the stored
random number, the password and the received data to generate an MD5 digest. If the digest
matches the received digest, then the requested administration is granted and the system is
appropriately updated. In subsequent communications where management information is to be
communicated from the administrator to the remote computer, the remote computer first
generates a random number to be thereafter utilized by the administrator in the MD5
digest. In each case, the remote system digest is then compared to the received digest and, if
the digests match, the requested administration request is granted and the system is updated
accordingly.
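The exchange described above, modeled end to end as an added Python example (not code from the application): the plug-in side computes MD5 over the random number, the stored administrator password and the packaged form string, and the access point recomputes and compares it. The class and function names are assumptions; the example additionally consumes the random number after one verification, so a captured form and digest cannot be resubmitted.

```python
import hashlib
import hmac
import secrets

def pack_form(fields: dict) -> str:
    """Stand-in for the JavaScript step that packages the filled-in form into one string."""
    return "&".join(f"{k}={v}" for k, v in sorted(fields.items()))

def verification_digest(random_number: str, password: str, form_string: str) -> str:
    """MD5 over the concatenation: random number || password || string parameter."""
    return hashlib.md5((random_number + password + form_string).encode()).hexdigest()

class AdminPlugin:
    """Browser-side security function; the administrator password is stored in the plug-in."""
    def __init__(self, password: str):
        self._password = password

    def sign(self, random_number: str, fields: dict) -> str:
        return verification_digest(random_number, self._password, pack_form(fields))

class AccessPoint:
    """Embedded platform side: issues the random number, recomputes and compares the digest."""
    def __init__(self, admin_password: str):
        self._password = admin_password
        self._pending = None          # random number stored for future reference
        self.config = {}              # administration information currently in effect

    def challenge(self) -> str:
        self._pending = secrets.token_hex(16)
        return self._pending

    def submit(self, fields: dict, digest: str) -> bool:
        if self._pending is None:
            return False              # no outstanding random number: nothing to verify against
        random_number, self._pending = self._pending, None   # single use: a replayed digest fails
        expected = verification_digest(random_number, self._password, pack_form(fields))
        if not hmac.compare_digest(expected, digest):
            return False              # password, random number or form contents differ
        self.config.update(fields)    # digests match: implement the new administration information
        return True

def run_exchange(ap: AccessPoint, plugin: AdminPlugin, fields: dict, tamper=None) -> bool:
    """One request/challenge/submit round; `tamper` models in-path modification of the form."""
    random_number = ap.challenge()
    digest = plugin.sign(random_number, fields)
    sent = {**fields, **(tamper or {})}
    return ap.submit(sent, digest)
```

The digest binds the form contents to the random number and the password but does not encrypt them, so the submitted values themselves remain readable on the path.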

BRIEF DESCRIPTION OF THE DRAWINGS 



The invention is best understood from the following detailed description when read in
connection with the accompanying drawing. The various features of the drawings are not
specified exhaustively. On the contrary, the various features may be arbitrarily expanded or
reduced for clarity. Included in the drawing are the following figures:

FIG. 1 is a block diagram of a communications system for practicing the method of the
present invention.

FIG. 2 is a flow diagram of an embodiment of the present invention for securing a
communication access.

FIG. 3a is a flow diagram of an embodiment of the present invention for securing a
communication access.

FIG. 3b is a flow diagram of an embodiment of the present invention for securing a
communication access.

DETAILED DESCRIPTION OF THE INVENTION

In the figures to be discussed, the circuits and associated blocks and arrows represent
functions of the process according to the present invention, which may be implemented as
electrical circuits and associated wires or data busses. Alternatively, one or more associated
arrows may represent communication (e.g., data flow) between software routines or
systems. The invention provides a method to apply the algorithms in the administrative
system, the resulting digest being carried in the form data, for example, as a hidden field.

In accordance with the invention, one or more mobile terminals, represented by 140₁ through
140ₙ, communicate via wireless medium 124 to an access point 130 in association with
firewalls 122 and computer 120, to servers 150₁ through 150ₙ, such as authentication
server 150ₙ. Communication from terminals 140ₙ may also reach a database or other
resources, utilizing the Internet 110 and associated communication paths 154.

In accordance with the present principles, the access 160 enables each terminal to reach
such gateways for HTTP and non-HTTP communication routing. The manner in which
the access 160 enables such secure access can best be understood by reference to FIG. 2.

More specifically, with reference to FIG. 2 and FIG. 3a, in a method in accordance with
the invention an administrator utilizes terminal 140ₙ and a browser to request a web page form,
typically designed as a Hyper Text Markup Language (HTML) form, from a remote embedded
platform (e.g., AP 130), which contains fields where the administrator can provide information
relevant to obtaining a secure communication with the network. Upon receiving the form 215, the
web page form, filled in with the requested management information, is submitted to the remote
embedded platform (e.g., AP 130) by invoking a real time operator, such as may be provided by a
JavaScript code, to package 230 the information into a string. The real time operator invokes a
plug-in security function having a predetermined character string as one parameter, prompting
the security function to communicate with the remote embedded platform.

Upon receiving a request from the plug-in on the user/mobile terminal, the remote embedded
platform generates a random number and stores the number for future reference. It also communicates
340 the number to the administrator 140ₙ. The administrator 140ₙ security function
concatenates the random number, an administrator password (previously stored in
the plug-in) and the string parameter. Thereafter, a digest, such as a Message Digest 5 (MD5) digest,
is generated 270 for the concatenated result and is returned to the security function. The real time
operator then embeds the result into the form containing the management information and sends
275 the form to the remote embedded platform (e.g., AP 130), thereby completing the
submission. The remote embedded platform utilizes the stored random number, the password and the
received data to generate 350 an MD5 digest. If the digest matches 355 the received digest, then
the requested administration is granted and the system is appropriately updated 356. In subsequent
communications where management information is to be communicated from the administrator to the
remote embedded platform (e.g., AP 130), the remote embedded platform (e.g., AP 130) first
generates a random number to be thereafter utilized by the administrator in the MD5 digest.

It is to be understood that the form of the invention shown is a preferred
embodiment. Various changes may be made in the function and arrangement of parts;
equivalent means may be substituted for those illustrated and described; and certain features
may be used independently from others without departing from the spirit and scope of the
invention as defined in the following claims.
1. A method for exchanging administration management information with a client
terminal in a wireless network, comprising the steps of:

receiving by an access point (AP) a request for an administration management file
from the client terminal;

transmitting by the AP the administration management file to the client terminal;
generating by the AP and transmitting by the AP to the client terminal a first
parameter;

receiving by the AP new administration information and a second parameter from the
client terminal;

generating by the AP a third parameter using a predetermined algorithm and the first
parameter;

comparing by the AP the third parameter to the second parameter; and
implementing the new administration information in response to the comparing step.

2. The method according to claim 1, wherein the wireless network is a wireless local area
network (WLAN) in accordance with IEEE 802.11 standards, the client terminal is a mobile
terminal within a coverage area of the WLAN, and the administration management file
comprises an administration web page.

3. The method according to claim 2, wherein the first parameter is a random number. 

4. The method according to claim 3, wherein the step of generating a third parameter 
comprises generating the third parameter using a hash function and the first parameter. 

5. The method according to claim 3, wherein the step of generating a third parameter 
comprises generating a third parameter using a hash function, the first parameter, a password, 
and a string parameter. 

6. The method according to claim 5, wherein the string parameter corresponds to the new
administration information.
8. An access point in a wireless network, comprising:

a transceiver for communicating with a client terminal;

means for causing the transceiver to transmit an administration management file to the
client terminal in response to a request from the client terminal;

means for generating a first parameter and causing the transceiver to transmit the first
parameter to the client terminal;

means for receiving from the client terminal new administration information and a
second parameter;

means for generating a third parameter in response to the first parameter and
comparing the third parameter to the second parameter; and

means for implementing the new administration information in response to the
comparing.

9. The access point according to claim 8, wherein the wireless network is a wireless local
area network (WLAN) in accordance with IEEE 802.11 standards, the client terminal is a
mobile terminal within a coverage area of the WLAN, and the administration management file
comprises an administration web page.

10. The access point according to claim 9, wherein the first parameter is a random
number.

11. The access point according to claim 10, wherein the third parameter is generated using
a hash function, the first parameter, a password, and a string parameter corresponding to
the new administration information.

12. A method for exchanging administration management information with an access
point in a wireless network using a client terminal, comprising the steps of:

transmitting a request for an administration management file to the access point;
receiving the administration management file from the access point;
receiving a first parameter from the access point;
generating new administration information in response to user input;

generating a second parameter using a predetermined algorithm and the first
parameter; and

transmitting the second parameter and the new administration information to the
access point.

13. The method according to claim 12, wherein the wireless network is a wireless local
area network (WLAN) in accordance with IEEE 802.11 standards, the client terminal is a
mobile terminal compliant with the IEEE 802.11 standards, and the administration
management file is an administration web page.

password and a string parameter. 
a transceiver for communicating with the access point;

means for causing the transceiver to transmit a request for an administration
management file to the access point;

means for generating new administration information in response to user input;

means for generating a second parameter using a predetermined algorithm and the first
parameter; and

means for causing the transceiver to transmit to the access point the second parameter
and the new administration information.

19. The client terminal according to claim 18, wherein the wireless network is a wireless
local area network (WLAN) in accordance with IEEE 802.11 standards.

20. The client terminal according to claim 19, wherein the second parameter is generated
using a hash function and the first parameter.

21. The client terminal according to claim 19, wherein